Difference between revisions of "OPS335 DNS Lab"

From CDOT Wiki
Jump to: navigation, search
(Created page with ' - OPS335 - OPEN SERVER ADMINISTRATION Lab #02 FOCUS: Basic IP Tables In this lab you will learn how to use iptables to build a simple Linux firewall. Part A: Building a …')
 
Line 1: Line 1:
 +
OPEN SERVER ADMINISTRATION
 +
 +
Lab #03
 +
 +
FOCUS: Domain Name System
 +
In this lab you will configure a Linux host to be a DNS server for the rest of the machines in your intranet. You'll use example.org as your domain with IP addresses in the range 192.168.X.1 - 192.168.X.254. The server will handle all queries for names in the example.org domain and all reverse lookups for addresses in the given range of local IP numbers. The server will pass DNS queries for other names and addresses out to the Internet (i.e. to Seneca's DNS server).
 +
 +
You're going to populate your server with the following records:
 +
 +
Fully Qualified Domain Name
 +
IP Address
 +
 +
f13.example.org
 +
192.168.X.1
 +
 +
vm01.example.org
 +
192.168.X.2
 +
 +
vm02.example.org
 +
192.168.X.3
 +
 +
vm03.example.org
 +
192.168.X.4
 +
 +
NOTE: For those of you using Fedora 13 installed on one removable HD and used as a host for one or more guest VMs, X will default to 122. You need at least two machines to do this lab (one host and one guest). The first will be set up as your gateway/firewall and DNS server. The others will be client hosts inside the intranet.
 +
 +
Here's what your network will look like:
 +
Part A: Perform these steps on your gateway/firewall/DNS machine.
 +
Start up your Fedora 13 PC, login as joker, open a terminal window and "su -" to root. This PC will be f13. It will be your gateway/firewall as well as the domain name server for your intranet.
 +
Ensure you are connected to the Internet. Use firefox to authenticate yourself so you can surf the web outside of the Seneca domain.
 +
Use yum to update your system if necessary.
 +
yum update
 +
 +
Use yum to install the DNS server.
 +
 +
yum install bind
 +
 +
Also start your ssh server.
 +
 +
service sshd start
  
 +
Set your hostname to f13.
  
- OPS335 -
+
hostname f13
  
OPEN SERVER ADMINISTRATION
+
Set your domainname to example.org.
 +
 
 +
domainname example.org
 +
 
 +
Edit the file /etc/named.conf and enter the following: But use your own X value where applicable. If no file exists, create one. If one is already there, delete it and make a new one.
 +
 
 +
options {
 +
directory "/var/lib/named";
 +
auth-nxdomain no;
 +
forwarders { 142.204.1.2; 142.204.43.43;};
 +
};
 +
 
 +
zone "localhost" {
 +
type master;
 +
file "localhost.zone";
 +
};
 +
 
 +
zone "X.168.192.in-addr.arpa" {
 +
type master;
 +
file "mydb-for-192-168-X";
 +
};
 +
 
 +
zone "example.org" {
 +
type master;
 +
file "mydb-for-example-dot-org";
 +
};
 +
 
 +
Make a new directory called 'named', like this
 +
 
 +
mkdir /var/lib/named
 +
 
 +
Now edit /var/lib/named/localhost.zone and enter the following:
 +
$TTL 604800
 +
@ IN SOA localhost. root.localhost. (
 +
1 ; Serial
 +
604800 ; Refresh
 +
86400 ; Retry
 +
2419200 ; Expire
 +
604800 ); Negative Cache TTL
 +
;
 +
@ IN NS localhost.
 +
@ IN A 127.0.0.1
 +
 
 +
Now edit /var/lib/named/mydb-for-example-dot-org and enter the following: But use your own X value where applicable.
 +
 
 +
$TTL 604800
 +
@ IN SOA localhost. root.localhost. (
 +
1 ; Serial
 +
604800 ; Refresh
 +
86400 ; Retry
 +
2419200 ; Expire
 +
604800 ); Negative Cache TTL
 +
;
 +
@ IN NS localhost.
 +
f13 IN A 192.168.X.1
 +
vm01 IN A 192.168.X.2
 +
vm02 IN A 192.168.X.3
 +
vm03 IN A 192.168.X.4
 +
 
 +
Next, edit /var/lib/named/mydb-for-192-168-X and enter the following:
 +
 
 +
$TTL 604800
 +
@ IN SOA localhost. root.localhost. (
 +
1 ; Serial
 +
604800 ; Refresh
 +
86400 ; Retry
 +
2419200 ; Expire
 +
604800 ); Negative Cache TTL
 +
;
 +
@ IN NS localhost.
 +
1 IN PTR f13.example.org
 +
2 IN PTR vm01.example.org
 +
3 IN PTR vm02.example.org
 +
4 IN PTR vm03.example.org
 +
 
 +
Now set up your resolver to point to itself. Edit /etc/resolv.conf, delete what's there and enter this data instead. Remember to use your value for X.
 +
 
 +
nameserver 192.168.X.1
 +
domain example.org
 +
 
 +
Start your DNS server with the command
 +
service named start
 +
 
 +
Check that your name server is running
 +
 
 +
ps ax | grep named
 +
or
 +
service named status
 +
 
 +
When starting or restarting your name server view the log file (/var/log/messages) to ensure it started without error.
 +
 
 +
Try a few lookups:
 +
 
 +
host f13.example.org
 +
host vm01.example.org
 +
host vm02.example.org
 +
host vm03.example.org
 +
host cbc.ca
 +
 
 +
Now try a few reverse lookups:
 +
 
 +
host 192.168.X.1
 +
host 192.168.X.2
 +
host 192.168.X.3
 +
host 192.168.X.4
 +
 
 +
Part B: Perform these steps on your Intranet machine.
 +
Use virt-manager on Fedora 13 to install at least one VM called vm01. Feel free to install several more if you have time. Make sure the host name is set to vm01 and the domain is example.org. You may use vm01 from the previous lab if you wish.
 +
On this machine edit the /etc/resolv.conf file and enter the following:
 +
 
 +
nameserver 192.168.X.1
 +
domain example.org
 +
 
 +
Now try the commands
 +
 
 +
host f13.example.org
 +
host vm01.example.org
 +
host vm02.example.org
 +
host vm03.example.org
 +
host yahoo.ca
  
Lab #02
+
And the commands
  
FOCUS: Basic IP Tables
+
host 192.168.X.1
 +
host 192.168.X.2
 +
host 192.168.X.3
 +
host 192.168.X.4
  
In this lab you will learn how to use iptables to build a simple Linux firewall.
+
Now, still on the second machine, try surfing the web with Firefox. NOTE: you should not need to authenticate yourself through SeneNet on this machine.
  
Part A:  Building a Simple Firewall
+
Finally, on all machines in your network, experiment with the following commands. Be sure to use several different command options to learn and understand  how they work.
Login as joker to your Fedora 13 PC. NOTE: It's not necessary to use a VM for this lab. Just use your original Fedora system created in lab #0.
 
Open a terminal window and "su -" to root.
 
Disable your current firewall. i.e. flush all rules in all chains in all tables.
 
Now build a custom firewall by performing the following steps:
 
  
Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
+
host
Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53.
+
dig
Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections.
+
nslookup
Create a new chain named MYSSH in the filter table.
+
Part C: Now answer the following questions.
Add a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.
 
Add a rule to your MYSSH chain to deny all traffic from 142.204.141.XXX (XXX is the PC beside you). Also log these denied packets with log level 'info'.
 
Add a rule to the INPUT chain of the filter table that allows all new tcp ssh connections.
 
Make a new chain named MYICMP in the filter table.
 
Add a rule to your MYICMP chain that denies ICMP pings from 142.204.141.XXX (the PC beside you).
 
Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of 11:22:33:44:55:66 (NOTE: to test this you'll have to change the MAC address of the PC beside you with the ifconfig command).
 
Add a rule to your MYICMP chain that allows ICMP pings from anywhere.
 
Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
 
Change the default policy on the INPUT chain in the filter table to DROP.
 
Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system then install it.
 
Use ping and ssh from 142.204.141.XXX (and elsewhere) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts.
 
Use iptables-save command to save your firewall rules.
 
  
Part B: Answer the following questions
+
What is your full name and nine digit Seneca ID?
What is your full name and Seneca student ID?
+
Use iptables-save command to show the rules relating to DNS. Only show these rules.
Show your firewall rules using the output of the iptables-save command.
+
Show the log messages generated when starting your DNS server.
Show the results of your nmap scans from part A. Be sure to also show the exact nmap command you used.
+
What is a zone file and what is it used for?
Show the log records generated by your invalid ssh attempts in part A.
+
Name the zone files used in this lab.
What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from 142.204.141.XXX to your host?
+
What is the purpose of /etc/nsswitch.conf?
 +
What is the purpose of /etc/resolv.conf?
 +
Under what circumstances does DNS use TCP vs UDP?
 +
What is meant by the term "negative cache"?
 +
Name 5 top level domains.

Revision as of 22:31, 30 August 2011

OPEN SERVER ADMINISTRATION

Lab #03

FOCUS: Domain Name System In this lab you will configure a Linux host to be a DNS server for the rest of the machines in your intranet. You'll use example.org as your domain with IP addresses in the range 192.168.X.1 - 192.168.X.254. The server will handle all queries for names in the example.org domain and all reverse lookups for addresses in the given range of local IP numbers. The server will pass DNS queries for other names and addresses out to the Internet (i.e. to Seneca's DNS server).

You're going to populate your server with the following records:

Fully Qualified Domain Name IP Address

f13.example.org 192.168.X.1

vm01.example.org 192.168.X.2

vm02.example.org 192.168.X.3

vm03.example.org 192.168.X.4

NOTE: For those of you using Fedora 13 installed on one removable HD and used as a host for one or more guest VMs, X will default to 122. You need at least two machines to do this lab (one host and one guest). The first will be set up as your gateway/firewall and DNS server. The others will be client hosts inside the intranet.

Here's what your network will look like: Part A: Perform these steps on your gateway/firewall/DNS machine. Start up your Fedora 13 PC, login as joker, open a terminal window and "su -" to root. This PC will be f13. It will be your gateway/firewall as well as the domain name server for your intranet. Ensure you are connected to the Internet. Use firefox to authenticate yourself so you can surf the web outside of the Seneca domain. Use yum to update your system if necessary. yum update

Use yum to install the DNS server.

yum install bind

Also start your ssh server.

service sshd start

Set your hostname to f13.

hostname f13

Set your domainname to example.org.

domainname example.org

Edit the file /etc/named.conf and enter the following: But use your own X value where applicable. If no file exists, create one. If one is already there, delete it and make a new one.

options { directory "/var/lib/named"; auth-nxdomain no; forwarders { 142.204.1.2; 142.204.43.43;}; };

zone "localhost" { type master; file "localhost.zone"; };

zone "X.168.192.in-addr.arpa" { type master; file "mydb-for-192-168-X"; };

zone "example.org" { type master; file "mydb-for-example-dot-org"; };

Make a new directory called 'named', like this

mkdir /var/lib/named

Now edit /var/lib/named/localhost.zone and enter the following: $TTL 604800 @ IN SOA localhost. root.localhost. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ); Negative Cache TTL

@ IN NS localhost. @ IN A 127.0.0.1

Now edit /var/lib/named/mydb-for-example-dot-org and enter the following: But use your own X value where applicable.

$TTL 604800 @ IN SOA localhost. root.localhost. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ); Negative Cache TTL

@ IN NS localhost. f13 IN A 192.168.X.1 vm01 IN A 192.168.X.2 vm02 IN A 192.168.X.3 vm03 IN A 192.168.X.4

Next, edit /var/lib/named/mydb-for-192-168-X and enter the following:

$TTL 604800 @ IN SOA localhost. root.localhost. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ); Negative Cache TTL

@ IN NS localhost. 1 IN PTR f13.example.org 2 IN PTR vm01.example.org 3 IN PTR vm02.example.org 4 IN PTR vm03.example.org

Now set up your resolver to point to itself. Edit /etc/resolv.conf, delete what's there and enter this data instead. Remember to use your value for X.

nameserver 192.168.X.1 domain example.org

Start your DNS server with the command service named start

Check that your name server is running

ps ax | grep named or service named status

When starting or restarting your name server view the log file (/var/log/messages) to ensure it started without error.

Try a few lookups:

host f13.example.org host vm01.example.org host vm02.example.org host vm03.example.org host cbc.ca

Now try a few reverse lookups:

host 192.168.X.1 host 192.168.X.2 host 192.168.X.3 host 192.168.X.4

Part B: Perform these steps on your Intranet machine. Use virt-manager on Fedora 13 to install at least one VM called vm01. Feel free to install several more if you have time. Make sure the host name is set to vm01 and the domain is example.org. You may use vm01 from the previous lab if you wish. On this machine edit the /etc/resolv.conf file and enter the following:

nameserver 192.168.X.1 domain example.org

Now try the commands

host f13.example.org host vm01.example.org host vm02.example.org host vm03.example.org host yahoo.ca

And the commands

host 192.168.X.1 host 192.168.X.2 host 192.168.X.3 host 192.168.X.4

Now, still on the second machine, try surfing the web with Firefox. NOTE: you should not need to authenticate yourself through SeneNet on this machine.

Finally, on all machines in your network, experiment with the following commands. Be sure to use several different command options to learn and understand how they work.

host dig nslookup Part C: Now answer the following questions.

What is your full name and nine digit Seneca ID? Use iptables-save command to show the rules relating to DNS. Only show these rules. Show the log messages generated when starting your DNS server. What is a zone file and what is it used for? Name the zone files used in this lab. What is the purpose of /etc/nsswitch.conf? What is the purpose of /etc/resolv.conf? Under what circumstances does DNS use TCP vs UDP? What is meant by the term "negative cache"? Name 5 top level domains.

Retrieved from "https://wiki.cdot.senecapolytechnic.ca/w/index.php?title=OPS335_DNS_Lab&oldid=68306"